[Lxc-users] container affecting host - lxc-1.0.0alpha1 on ubuntu 13.10

[Serge Hallyn]

Quoting Marc Paradise (marc at opscode.com):
> On Fri, Oct 25, 2013 at 10:30 AM, Serge Hallyn <serge.hallyn at ubuntu.com>wrote:
> >
> >
> > Can you please do an lxc-start with '-l info -o outfile' options and
> > attach the outfile?  Also show the /proc/self/mounts and
> > /proc/self/mountinfo contents from both the host and the container.
> >
> 
> I've attached mountinfo and mounts from the host, but I can't reach the
> guest via console or ssh to grab the same there.

You don't need to.  You can ps -ef to find an /sbin/init that is not pid
1, and do /proc/$pid/mount{s,info} for that pid.

The main thing I notice in your logs is that

21 15 0:16 / /sys/fs/cgroup rw,relatime - cgroup cgroup rw,hugetlb,perf_event,blkio,freezer,devices,memory,cpuacct,cpu,cpuset
...
33 21 0:26 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime - cgroup systemd rw,name=systemd

These are weird.  Normally we have all cgroups mounted separately in
subdirs of /sys/fs/cgroup.  I.e. freezer on /sys/fs/cgroup/freezer,
cpuset on /sys/fs/cgroup/cpuset, etc.  You don't have cgroup-lite
package installed?  What is mounting /sys/fs/cgroup?  Is it done by
/etc/fstab?

Secondly, since /sys/fs/cgroup is a cgroupfs, it is not ok to
create a directory under that and mount systemd cgroup system over
it.  /sys/fs/cgroup/systemd, once created, represents a cgroup called
systemd, which tasks can be inserted into.  If you now, for instance,
create a container called 'systemd' you'll be in a world of hurt.

-serge